Legal · The Mum Hub
Privacy Policy (UK GDPR)
How we collect, use and protect personal data under the UK GDPR and Data Protection Act 2018.
Last updated: 3 June 2026
Controller & contact
The Mum Hub Marketplace Ltd is the data controller. For privacy questions or to exercise your rights, contact our Data Protection Officer at privacy@babyhub.co.uk.
Data we collect
Account data (name, email, password hash, avatar), profile data (children's age bands you enter, preferences), order data (items, delivery address, billing details, handover codes), payment data (processed by our payment provider; we receive a tokenised reference, never full card numbers), messaging and community content, support tickets, device & usage data (IP address, browser, pages viewed, referrer), cookie and consent records, and any data you choose to upload (photos, listings, reviews).
How we use it (lawful bases)
Contract (Art. 6(1)(b)): to create your account, process orders, deliver goods, run Buyer Protection and handle disputes. Legitimate interests (Art. 6(1)(f)): fraud prevention, platform security, service improvement, internal analytics, defending legal claims. Legal obligation (Art. 6(1)(c)): tax, accounting, consumer law, product safety, anti-money-laundering, responding to lawful requests. Consent (Art. 6(1)(a)): marketing emails, non-essential cookies and any optional personalisation; you can withdraw at any time.
Children
The Mum Hub is intended for parents, carers and guardians aged 18+. We do not knowingly collect personal data from children. The 'age band' fields on a child profile contain no name, date of birth or identifying detail and are used only to tailor product recommendations to the parent account holder.
Sharing
We share personal data with: Sellers (only the data needed to fulfil an order), our payment processor and Stripe Connect for payouts, delivery carriers, fraud and identity-verification providers, cloud hosting and database providers, email and SMS gateways, analytics providers (only with consent), professional advisers, and regulators or law enforcement where required by law. We do not sell personal data.
International transfers
Where data is transferred outside the UK, we rely on UK Adequacy Regulations, the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum, together with appropriate supplementary measures.
Retention
Account data is kept while your account is active and for up to 6 years after closure to meet tax and consumer-law obligations. Order and payment records: 6 years. Marketing data: until you unsubscribe. Support tickets: 3 years. Cookie consents: 12 months. CCTV / fraud logs: 12 months.
Your rights
You have the right to: access your data, correct it, erase it, restrict or object to processing, port your data, withdraw consent, and complain to the Information Commissioner's Office (ico.org.uk). Email privacy@babyhub.co.uk to exercise any right. We respond within one calendar month.
Security
We use HTTPS everywhere, encryption at rest, row-level security on our database, hashed passwords, principle-of-least-privilege access, audit logging and regular vulnerability scanning. No system is perfectly secure; please use a strong unique password and enable any available account-security features.